This tool demonstrates the power of UAC bypasses and built-in features of Windows.

Overview

Auto-Elevate

This utility auto-locates winlogon.exe, steals and impersonates its process token, and spawns a new SYSTEM-level process with the stolen token. Combined with UAC bypass method #41 (ICMLuaUtil UAC bypass) from hfiref0x's UACME utility, this utility can auto-elevate a low-privileged Administrator account to NT AUTHORITY\SYSTEM.


The following image demonstrates using UACME combined with Auto-Elevate to go from a low-privileged Administrator account to NT AUTHORITY\SYSTEM on Windows 10 21H1.


The following image demonstrates escalation from a high-privileged Administrator account to SYSTEM without a UAC bypass.


Technical Explanation

The following steps are performed by Auto-Elevate to escalate from a low-privileged Administrator to SYSTEM:


UACME ICMLuaUtil Bypass

  1. test

Auto-Elevate

  1. The winlogon.exe process is located by enumerating the system's running processes with CreateToolhelp32Snapshot, Process32First, and Process32Next.
  2. SeDebugPrivilege is enabled for the current process via a call to AdjustTokenPrivileges, as it is required to open a handle to winlogon.exe.
  3. A handle to the winlogon.exe process is opened by calling OpenProcess; PROCESS_ALL_ACCESS is requested for this call (although it is more access than needed).
  4. A handle to winlogon's process token is retrieved by calling OpenProcessToken with the previously obtained process handle.
  5. The user of winlogon (SYSTEM) is impersonated by calling ImpersonateLoggedOnUser.
  6. The token handle is duplicated by calling DuplicateTokenEx with SecurityImpersonation, which creates a duplicated token that can be used to start a process.
  7. Using the duplicated, impersonated token, a new CMD instance is spawned by calling CreateProcessWithTokenW.

To-Do

  • Implement a standalone version of method 41 from UACME (or similar) to automate the process further

MITRE ATT&CK Mapping

  • Token Manipulation: T1134
  • Access Token Manipulation: Token Impersonation/Theft: T1134.001
  • Access Token Manipulation: Create Process with Token: T1134.002
  • Access Token Manipulation: Make and Impersonate Token: T1134.003